Wednesday, September 17, 2008

Consumerization - The End of Corporate Security (as we know it)

Source: Palo Alto Networks "The Application Usage and Risk Report" (Fall 2008 Edition)

Don't act so surprised. I wrote about this a long, long, long time ago...

Consumer-driven technologies are driving IT Security into oblivion, and security managers mad. Palo Alto networks confirms that we're losing the battle against the great unknown risk brought in by the users, or someone other than IT administrators and corporate IT types. This quote is priceless...

"The report supports the notion that employee application usage within the enterprise is akin to the wild west where anything and everything is fair game."
First though, I'd like to give some credit to Tim Wilson of for publishing the Palo Alto findings, and doing some analysis - but I'm going to take a slightly different angle.

Remember when IT Security didn't exist? You went to work for a company and were issued a desktop, of for the lucky ones we got a laptop - and were sent on your merry way. You got the standard set of business tools (and some of us even got a "coreload" which was uniform among all the machines issued), and then were left to your own devices as administrator of your local machine. Cool! You installed instant messaging clients, P2P programs, and other neat stuff like those games that were so neat that you could play in your spare time [read: during meetings]. Then IT Security came into the picture somewhere along the way, and started to spoil the fun. Security started issuing mandates like "you can't install KaZaA on a company-issued machine"... what was that all about? Good thing they had no teeth and couldn't enforce it, right?

Fast-forward to today and many larger, better-managed enterprises (and some lucky smaller companies) have a lock-down policy on the gear they issue you. Problem is, they [still] can't cover every angle you can take to "install stuff". For example, most rediculously built applications still require you to be administrator to run them - so IT Security has to back off until this gets fixed, and in the mean time you play widget golf or what-not, connect your iPod [with the necessary iTunes + QuickTime .. and RealAudio... and Safari?] and your GPS so you can synch your maps, and a USB memory stick so you can "back up" all your music and listen to it off the player on your work machine... and it goes on and on.

Before we [IT Security] know it, there are iPhones, gadgets of all kinds connected to our network doing who-knows-what, and we have no clue how to control it. Now let me bring in this survey that I've mentioned in the very first line of this story. Yes folks, consumerization is real and it's taking over your systems, clogging your network pipes and causing security vulnerabilities that you can't even dream of yet. This report from Palo Alto only validates what I've been saying for years now. An old manager of mine over at GE Consumer Finance (you know who you are) used to talk about how consumerization will be the death of corporate IT security - could he have been any more right?

Look at the report, read it and let it soak in - we've lost control. Given this knowledge of the inevitable your next question is likely "OK smarta**, so now what? What are you proposing?" Here's what I'm proposing... rather than trying to spend so much time restricting what users can install, what they can do, and what they can hook up to their PCs - why not just set a baseline for allowed activity - and write a security policy that allows for random audits and HR actions as a result of failing an IT Security audit. Yes, this all sounds nice in theory - but there is more to it. You have to take a few steps first... let me outline it for you as I see it -

  1. Write a solid policy about usage of company assets. Be strict on what is allowed, what is not allowed, and what reprecussions are. You must spell things out clearly, and notify your users that they will be checked against this policy and HR will be called when they violate this policy. Be prepared to take this to HR for approval and then be ready to act on this policy
  2. Institute a basic baseline for work PCs and technology. Perform basic steps to lock down issued hardware to a reasonable degree, and the rest of your networks, assets and IP in a way that makes sense (notice I didn't say spend rediculous amounts on tools and monitoring equipment...). Make sure your policy makes sense for you and your user base. Allow folks to be able to do the things they want to do (and will do behind your back) securely! This means implement a proxy-only environment that detunnels all traffic, and does egress filtering for DLP compliance. It's not easy - but it's a great way to go and lets your users know you're not trying to enclose them in a cell all day - just that you're looking out for your company's interests
  3. Be prepared to audit the systems, networks and gadgets that are out there in your corporate micro-chosm. Given that you should now have a policy against certain types of actions, make sure you can reliably detect those actions and issues so as to report on them. Accurately and reliably are the keys here - you can't mess this up.
There... that coupled together will make for a sound policy that I think both you [assuming your the CISO/IT Sec Leader] and your company can live with - and you won't need to take out a government loan to get it done.

Some additional reading:


Rob Lewis said...

Do you think the main problem is that they still can not enforce policies regarding device use?

Rafal said...

@Rob - I would surmise that the [in]ability to enforce policies regarding device use is a major player in this crisis, brought-upon by the operating systems manufactures and hardware manufacturers (yes, it's Microsoft's fault again). Features over responsibility to corporate America is what is driving this problem...

To answer your question directly - yes.

Scott said...

The issue I would expect to encounter is when the business is using consumer technologies to achieve a business goal. It becomes security vs. "the business" and we know who usually wins that one. (Hint - not security).

The risk of using consumer technology needs to be clearly communicated to the business in order to reverse the current trends. If you can't convey the risk (and demonstrate that the risk outweighs the benefits) then you don't really have a case for denying the use of that technology.

Besides, someone out there with some security savviness will figure out the risk and come up with a gadget to secure this crap. It'll be acquired by Symantec and made part of Endpoint Protection For Dummies, and everyone will go on their merry way.

Rafal said...

@Scott - *maybe* - but more than likely the next time some iPhone-esque thing comes along and completely and utterly disrupts corporate network space, or does "weird things" when people try to attach it to their [work] laptops we [IT Security] will be brought to before the firing squad and asked why we didn't prevent this.

The answer will be simple - we can't, because that is the nature of viral consumer technologies - they're built with a total and utter lack for corporate-type security function.